Gaël Roualland wrote:
> We are setting up an LDAP server for a huge database (5 million
> entries), and openldap performs very slow on index building with it,
> spending a very long time building the substring dn index (dn.dbb). Is
> there a configuration way to disable it (or just build an eq index) ? We
> don't really need that index in our context and it would speed up
> things.
I think that, currently, the ability to do substring searches on the
dn is closely coupled to the ability to do subtree-scope searches.
The workaround would be to skip that part in search.c in the backend.
There is a fragment in search_candidates that reads:
if ( scope == LDAP_SCOPE_SUBTREE ) {
lf = (Filter *) ch_malloc( sizeof(Filter) );
lf->f_next = NULL;
lf->f_choice = LDAP_FILTER_AND;
lf->f_and = (Filter *) ch_malloc( sizeof(Filter) );
lf->f_and->f_choice = LDAP_FILTER_SUBSTRINGS;
lf->f_and->f_sub_type = ch_strdup( "dn" );
lf->f_and->f_sub_initial = NULL;
lf->f_and->f_sub_any = NULL;
lf->f_and->f_sub_final = ch_strdup( e->e_ndn );
lf->f_and->f_next = f;
f = lf;
If you skip it, the whole backend will be searched (does not mean
necessarily a sequential read, other indexed attributes may limit
the searches). False hits will be filtered out later. This is
harmless, since on a large database the result of that partial
filter at the initial search on indexes will always be ID
BLOCK_ALLIDS_VALUE anyway.
But I have not tried this.
> On a side note, is there a way to change the default special attributes
> names (objectClass, userPassword) to something else ?
No. The name objectClass is sacred. And userPassword is hardwired for
binding. Why would you want to do that? Maybe access lists are what you
are looking for.
Julio